Unable to log into an Azure VM using Entra ID (following official Microsoft instructions).

JSK1 0 Reputation points
2026-07-01T09:41:06.34+00:00

Hello. I have spent the past week repeatedly trying to use Entra ID with Azure VMs. I have tried these methods so far:

- Sign in using passwordless authentication with Microsoft Entra ID
- Sign in using password/passwordless authentication with Microsoft Entra ID (using a web account)
- Sign in using the Bastion

The instructions I was following are here: https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows

I have also experimented with Entra domains, but they appear to have been unnecessary, as my test VMs have been joining with Entra automatically when I specify Entra login during creation. They also, incidentally, don't work, but this may be because I don't have a P2 subscription.

Here's the output from dsregcmd /status:

+----------------------------------------------------------------------+

| Device State |

+----------------------------------------------------------------------+

AzureAdJoined : YES

EnterpriseJoined : NO

DomainJoined : NO

Virtual Desktop : NOT SET

Device Name : EntraTestVM

+----------------------------------------------------------------------+

| Device Details |

+----------------------------------------------------------------------+

DeviceId : 0e7ee404-ec52-43cf-b356-29740e7bb3b2

Thumbprint : 34896559A93C672E2492262D706855CAF6C80148

DeviceCertificateValidity : [ 2026-06-30 15:42:21.000 UTC -- 2036-06-30 16:12:21.000 UTC ]

KeyContainerId : af0531e2-0751-4797-a2fb-1e2c0311ef00

KeyProvider : Microsoft Platform Crypto Provider

TpmProtected : YES

DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+

| Tenant Details |

+----------------------------------------------------------------------+

TenantName :

TenantId : 2d283d78-981b-4659-945e-b466da8398b1

AuthCodeUrl : https://login.microsoftonline.com/2d283d78-981b-4659-945e-b466da8398b1/oauth2/authorize

AccessTokenUrl : https://login.microsoftonline.com/2d283d78-981b-4659-945e-b466da8398b1/oauth2/token

MdmUrl :

MdmTouUrl :

MdmComplianceUrl :

SettingsUrl :

JoinSrvVersion : 3.0

JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/

JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net

KeySrvVersion : 1.0

KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/

KeySrvId : urn:ms-drs:enterpriseregistration.windows.net

WebAuthNSrvVersion : 1.0

WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/2d283d78-981b-4659-945e-b466da8398b1/

WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net

DeviceManagementSrvVer : 1.0

DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/2d283d78-981b-4659-945e-b466da8398b1/

DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

KerbSpn : adrs/enterpriseregistration.windows.net

KerbUrl : https://login.microsoftonline.com/2d283d78-981b-4659-945e-b466da8398b1/kerberos

+----------------------------------------------------------------------+

| User State |

+----------------------------------------------------------------------+

NgcSet : NO

WorkplaceJoined : NO

WamDefaultSet : NO

+----------------------------------------------------------------------+

| SSO State |

+----------------------------------------------------------------------+

AzureAdPrt : NO

AzureAdPrtAuthority :

AcquirePrtDiagnostics : PRESENT

Previous Prt Attempt : 2026-06-30 19:39:30.371 UTC

Attempt Status : 0xc0000072

User Identity : ******@----------.onmicrosoft.com

Credential Type : Password

Correlation ID : e456674b-458e-4df0-b925-d83952ee4067

Endpoint URI : https://login.microsoftonline.com/2d283d78-981b-4659-945e-b466da8398b1/oauth2/token

HTTP Method : POST

HTTP Error : 0x0

HTTP status : 400

Server Error Code : invalid_grant

Server Error Description : AADSTS50034: The user account {EUII Hidden} does not exist in the 2d283d78-981b-4659-945e-b466da8398b1 directory. To sign into this application, the account must be added to the directory. Trace ID: c90d857a-6347-43a6-a9b0-e2543aa51b00 Correlation ID: e456674b-458e-4df0-b925-d83952ee4067 Timestamp: 2026-06-30 19:39:30Z

EnterprisePrt : NO

EnterprisePrtAuthority :

+----------------------------------------------------------------------+

| Diagnostic Data |

+----------------------------------------------------------------------+

AadRecoveryEnabled : NO

Executing Account Name : EntraTestVM\azureuser

KeySignTest : PASSED

DisplayNameUpdated : YES

OsVersionUpdated : YES

HostNameUpdated : YES

Last HostName Update : NONE

+----------------------------------------------------------------------+

| IE Proxy Config for Current User |

+----------------------------------------------------------------------+

Auto Detect Settings : YES

Auto-Configuration URL :

Proxy Server List :

Proxy Bypass List :

+----------------------------------------------------------------------+

| WinHttp Default Proxy Config |

+----------------------------------------------------------------------+

Access Type : DIRECT

+----------------------------------------------------------------------+

| Ngc Prerequisite Check |

+----------------------------------------------------------------------+

IsDeviceJoined : YES

IsUserAzureAD : NO

PolicyEnabled : YES

PostLogonEnabled : YES

DeviceEligible : NO

SessionIsNotRemote : NO

CertEnrollment : none

PreReqResult : WillNotProvision

According to the official instructions linked to above, the configuration indicated should be sufficient for Entra ID to work. However, I have now built over 10 VMs, with new VNets and resource groups each time, and no matter how many times I have modified the settings, according to forum posts, YouTubes, and so on, nothing works. Could this be a problem at the subscription level, or something along those lines?

Microsoft have been completely unwilling to help with this, and have referred me to an AI that claimed my deployments failed, something that hasn't happened in a single case (and the logs confirm this).

Clearly, some people on this forum use Entra ID, correct? It seems nearly impossible to use, simply because following standard Microsoft instructions produces no results. I could tinker with nonstandard configurations on these VMs for weeks, as is recommended on various forums, but the point of Entra, and of Azure, is to be more plug-and-play than that, correct?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
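Added example, not part of the original post or of Microsoft's documentation: a small Python parser for pasted dsregcmd /status output that separates device-level fields from the fields describing the account that ran the command. The function names and the abridged sample are assumptions made for this illustration; the field names and values come from the output in the question.

```python
import re

# Constructed sample: selected, abridged lines from the dsregcmd /status output in the question.
SAMPLE = """\
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
Device Name : EntraTestVM
DeviceAuthStatus : SUCCESS
AzureAdPrt : NO
Server Error Code : invalid_grant
Server Error Description : AADSTS50034: The user account {EUII Hidden} does not exist
Executing Account Name : EntraTestVM\\azureuser
IsUserAzureAD : NO
"""

def parse_dsregcmd(text):
    """Return {field: value} for each 'Name : value' line, skipping banners and blanks."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("+", "|")):
            continue
        name, sep, value = line.partition(" :")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def triage(fields):
    """Separate device-level state from the state of the user who ran the command."""
    out = []
    joined = fields.get("AzureAdJoined") == "YES" and fields.get("DeviceAuthStatus") == "SUCCESS"
    out.append("device: joined and authenticating" if joined else "device: join or device auth problem")
    # User State and SSO State describe the executing account, not the device.
    if fields.get("AzureAdPrt") != "YES":
        out.append("user: no PRT in this session")
    code = re.search(r"AADSTS\d+", fields.get("Server Error Description", ""))
    if code:
        out.append(f"last PRT attempt: {code.group(0)} ({fields.get('Server Error Code', '?')})")
    domain, sep, user = fields.get("Executing Account Name", "").partition("\\")
    if sep and domain.lower() == fields.get("Device Name", "").lower():
        out.append(f"run as: local account {user}")
    return out

if __name__ == "__main__":
    for finding in triage(parse_dsregcmd(SAMPLE)):
        print(finding)
```

The parser also accepts the full output as pasted above, since banner lines and blank lines are skipped and fields with empty values are kept as empty strings.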

1 answer

  1. Isuru Heendeniya 70 Reputation points
    2026-07-01T15:31:10.6666667+00:00

    Hi,

    Since your VM is Entra joined, just try this. Go to Devices. In the left-hand column there is an option named remote connection configuration; click Microsoft Remote Desktop, enable it and check. I hope you have configured the RBAC role correctly for the Entra user or security group, and that the AADLogin extension is also installed.

    Thank you

    Kind regards

    Isuru
